madmatt/silverstripe-encrypt-at-rest
Composer 安装命令:
composer require madmatt/silverstripe-encrypt-at-rest
包简介
Enable encryption of data at rest (in database)
README 文档
README
This module allows Silverstripe CMS ORM data to be encrypted before being stored in the database, and automatically decrypted before using within your application. To do this, we use a secret key known only by the web server.
Caveats to understand
- It's important to note that this module does not guarantee the security of your data completely. You should only use this as a protection measure if you fully understand how the module operates. In most cases, encrypting the entire database is both adequate and similarly effective. Only use this module to encrypt data at-rest (on a field-by-field basis) if your layered protection strategy requires and accomodates it. To be clear - when encrypting data at rest, the data must be decrypted before being used. In almost all cases, the web server hosting the website is far more accessible to attacks than the the database server, meaning that an attacker who can compromise your web server will have access to both the database and the encryption key used to encrypt the data.
- Encrypting and decrypting data on a field-by-field basis has a performance overhead, which may produce undesirable results in your project.
- This module uses the
defuse/php-encryptionlibrary under the hood, which prefers strong security over performance. Encrypting lots of fields on aDataObjectcan significantly slow down any operations that read or write large amounts of data (for exampleModelAdminviews in the CMS that render 50+ records at once can take many seconds of processing power just to decrypt fields). Care should be taken to ensure only the minimal set of data is encrypted, and that this data does not need to be used frequently.
Requirements
- SilverStripe CMS 5.0
Installation
Install via Composer:
composer require madmatt/silverstripe-encrypt-at-rest
Once installed, you need to generate an encryption key that will be used to encrypt all data.
- Generate a hex key with
vendor/bin/generate-defuse-key(tool supplied bydefuse/php-encryption). This will output a ASCII-safe key that starts withdef. - Set this key as the environment variable
ENCRYPT_AT_REST_KEY.
For development environments you can set this in your .env e.g:
ENCRYPT_AT_REST_KEY="{generated defuse key}"
For more information view SilverStripe Environment Management.
Usage
In your DataObject, create new database fields using an encrypted field type. Note: It's not supported to convert an existing field that has data into an encrypted field. This might work but is not guaranteed. You should migrate your data by creating a new field, and creating a task to map old fields to new encrypted fields if necessary.
For example:
use Madmatt\EncryptAtRest\FieldType\EncryptedVarchar; class SecureDataObject extends DataObject { private static $db = [ 'NormalText' => 'Varchar' 'SecureText' => EncryptedVarchar::class ]; }
See the src/FieldType folder for all field types, or review the below list:
Madmatt\EncryptAtRest\FieldType\EncryptedDatetimeMadmatt\EncryptAtRest\FieldType\EncryptedDecimalMadmatt\EncryptAtRest\FieldType\EncryptedEnumMadmatt\EncryptAtRest\FieldType\EncryptedIntMadmatt\EncryptAtRest\FieldType\EncryptedTextMadmatt\EncryptAtRest\FieldType\EncryptedVarchar
Note: When saving in the database, all of these encrypted fields are stored as TEXT column types. This is due to the length of the encrypted data being generally much longer than the original text string. They do not take up table column space, but result in longer query execution times when many fields are included as the database needs to go retrieve all these fields from separate blob storage.
Note 2: These fields all extend from the base data type (e.g. EncryptedDatetime extends DBDatetime) so most common field helper methods can be used (e.g. $DatetimeField.Ago).
Data will be automatically encrypted when values are written to the database, and decrypted whenever that data is read back from the database.
To use decrypted values, you just use the value like you would in any other context. For example:
// Via DataObject::get() $obj = SecureDataObject::get()->first()->SecureText; // Returns the decrypted string from the field // Getting the DB field $obj = SecureDataObject::get()->first(); $field = $obj->dbObject('SecureText'); // Returns an EncryptedVarchar object $uppercase = $field->UpperCase(); // Method on DBString, returns a string
Usage within Silverstripe templates is also straightforward:
<% loop $SecureDataObjects %> <p>$SecureText.UpperCase</p> <% end_loop %>
If you've use the Silverstripe CMS 3 version of this module, you no longer need to rely on the ->getDecryptedValue() method - the value will always be decrypted when accessing it.
Encrypting and decrypting arbitrary text strings and files without using the ORM
You can also encrypt/decrypt arbitrary text strings as well as entire files on the filesystem without using the Silverstripe ORM (e.g. without using DataObject). You might want to do this to securely communicate with an API for example.
use Madmatt\EncryptAtRest\AtRestCryptoService; use SilverStripe\Assets\File; use SilverStripe\Core\Injector\Injector; $text = 'This is an unencrypted string!'; /** @var AtRestCryptoService $service */ $service = Injector::inst()->get(AtRestCryptoService::class); $encryptedText = $service->encrypt($text); // Returns encrypted string starting with `def` $unencryptedText = $service->decrypt($encryptedText); // Returns 'This is an unencrypted string!' $file = File::get()->byID(1); // Presume this is a file that contains the text string above // This will encrypt the file contents, delete the original file from the filesystem and create a new file at the same path with .enc appended to the filename $encryptedFile = $service->encryptFile($file); // This will decrypt the file contents, delete the encrypted file from the filesystem and create a new file at the same path with .enc stripped from the filename $decryptedFile = $service->decryptFile($encryptedFile);
madmatt/silverstripe-encrypt-at-rest 适用场景与选型建议
madmatt/silverstripe-encrypt-at-rest 是一款 基于 PHP 开发的 Composer 扩展包,目前已累计 6.92k 次下载、GitHub Stars 达 7, 最近一次更新时间为 2016 年 03 月 09 日, 在 PHP 生态内属于活跃度较高的组件。
它主要适用于以下技术方向: 「encryption」 「silverstripe」 「decryption」 「encrypt-at-rest」 等业务场景。在实际项目中,围绕这些方向常见需要落地的问题包括:接口对接、性能调优、并发安全、与既有框架(Laravel / ThinkPHP / Yii / Webman 等)的兼容适配,以及生产环境的日志埋点与稳定性保障。
我们在过去多个企业项目中使用过 madmatt/silverstripe-encrypt-at-rest 或与其功能相近的方案,如果你在选型或落地过程中遇到问题,例如 版本兼容、二次改造、私有化封装、与内部系统对接、生产 BUG 排查,欢迎联系我们协助评估。
基于 madmatt/silverstripe-encrypt-at-rest 在你已有业务上做功能扩展、字段裁剪、UI 适配、与内部账号 / 权限 / 日志系统的深度对接。
线上偶发问题、内存泄漏、慢查询、并发异常等排查修复;针对高流量场景做缓存、队列、索引层面的调优。
承接完整的项目从需求 → 设计 → 开发 → 上线 → 长期运维;也可按月提供技术保姆服务。
与 madmatt/silverstripe-encrypt-at-rest 相关的其它包
同方向 / 同关键字的高下载量 PHP Composer 包推荐,方便对比选型:
A simple PHP class to encrypt a string and decrypt an encrypted string
A package for automatically encrypting and decrypting Eloquent attributes in Laravel 5.5+, based on configuration settings.
Encryption with AES-256 and HMAC-SHA256
Allows installation of Laravel where the PHP Mcrypt extension is not available. Provides encryption using OpenSSL, or by disabling encryption entierly.
High-level cryptographic primitives and security utilities for Maatify systems including password hashing, reversible encryption, HKDF key derivation, and key rotation.
统计信息
- 总下载量: 6.92k
- 月度下载量: 0
- 日度下载量: 0
- 收藏数: 7
- 点击次数: 20
- 依赖项目数: 1
- 推荐数: 0
其他信息
- 授权协议: WTFPL
- 更新时间: 2016-03-09